(S//REL) Foreign Intelligence in Support of Dynamic Def

(S//REL) Use CNE to penetrate the operations of foreign cyber actors

(U) Two major classes of CNE techniques

• (U) Man-in-the-middle 

• (U) Man-on-the-side 

(U//FOUO) Steal their tools, tradecraft, targets and take

(S//REL) TUTELAGE is a man-in-the-middle technique



(U//FOUO) Using TUTELAGE to enable active exploitation is integrated 

cyber operations. 
[Diagram: TUTELAGE man-in-the-middle flow. Labels recovered from the figure:]

- Target web connection/request via SATCOM or fiber
- SIGINT
- Insert hook in addition to requested
- Hook calls to Covert Listening Post (LP): upload robust implant for sustained access

Active SIGINT

• Implant targets based on 'selectors' and/or behavior

- e.g. users of al-Mehrab ISP (Mosul) who visit al-Hezbah extremist website

• Requires target Webserver responses be visible to passive SIGINT

• Requires sufficient delay in target web connection for the hook to "beat" the response back to the target (typically means at least one satellite hop)

• Requires target's client to be vulnerable to [illegible]

• Cycle [circled diagram steps] must get to the target before [circled diagram step] occurs

• Once 'hooked', the target is exploited with no time constraints

• Different QUANTUM effects have different time constraints
(U//FOUO) BOXINGRUMBLE Case Study

• (S//REL) DNS requests entering NIPRnet domain

- (S//REL) Destination IP not a NIPRnet DNS server

- (S//REL) Domain name not within NIPRnet

• (S//REL) DNS behavior of host is suspicious but not dangerous

• (TS//SI//REL) TAO uses QUANTUMDNS to redirect the requesting host
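The two BOXINGRUMBLE DNS indicators above (destination inside the enclave but not a DNS server, queried name not within the enclave's domain) can be turned into a boundary detection rule. This is an added example, not code from the slides or from any programme they describe; the enclave range, the DNS server addresses, the internal name suffix and the log lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed assumptions (not from the slides): the enclave's address space,
# its known DNS servers, its internal name suffix, and a "src dst qname" log format.
ENCLAVE = ipaddress.ip_network("10.0.0.0/8")
KNOWN_DNS_SERVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
INTERNAL_SUFFIX = ".corp.example"

# Constructed sample log: DNS queries seen entering the enclave boundary.
SAMPLE_LOG = """\
203.0.113.10 10.0.0.53 www.corp.example
203.0.113.10 10.0.0.53 example.org
198.51.100.7 10.20.30.40 peer.example.net
198.51.100.7 10.20.30.40 mail.corp.example
198.51.100.7 10.20.30.40 rendezvous.example.net
198.51.100.8 10.20.30.40 c2.example.net
192.0.2.5 10.20.30.40 node.example.net
"""

def parse_line(line):
    """Split one log line into (src, dst, qname); qname is normalised to lower case."""
    src, dst, qname = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), qname.lower().rstrip(".")

def is_suspicious(src, dst, qname):
    """Apply the two slide indicators: destination inside the enclave but not a known
    DNS server, and a queried name that is not within the enclave's own domain."""
    return (dst in ENCLAVE
            and dst not in KNOWN_DNS_SERVERS
            and not qname.endswith(INTERNAL_SUFFIX))

def suspicious_hosts(log_text, threshold=2):
    """Count matching queries per source host and return those at or above threshold,
    so a single stray lookup does not raise an alert on its own."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, qname = parse_line(line)
        if is_suspicious(src, dst, qname):
            counts[str(src)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for host, n in sorted(suspicious_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} DNS queries to a non-DNS enclave host for external names")
```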
(U//FOUO) BOXINGRUMBLE Case Study

• (TS//SI//REL) TAO establishes itself as a trusted C2 node

• (U//FOUO) Captured traffic indicates the existence of a bot net

- (S//REL) Command and control split into two layers (C2 and C4)

- (S//REL) C2 layer has a peer-to-peer mesh network topology with direct connection to a C4 node

• (S//REL) C2 nodes connect directly to victims as well as through open web proxies
(U//FOUO) BOXINGRUMBLE Case Study

• (TS//SI//REL) TAO C2 server can see all bot tasking

• (TS//SI//REL) TAO C2 server can push tasking

• (S//REL) BOXINGRUMBLE bots

- (S//REL) ~45% Vietnamese dissidents

- (S//REL) ~45% Chinese dissidents

- (S//REL) ~10% Other

• (TS//SI//REL) Adding BOXINGRUMBLE bots to DEFIANTWARRIOR
(U//FOUO) Future Capability: QUANTUMSANDM

1. A client requests connection to malicious server. Request is detected by TURMOIL; CLOUDSHIELD terminates client-side connection.

2. The malicious server's response is blocked by CLOUDSHIELD.

3. TURMOIL tips TURBINE, which then tasks a shooter to send the acknowledgement to the malicious server.

4. Malicious server assumes connection and forwards
(U) Future Work

• (U//FOUO) Develop lower latency guards

• (S//REL) Use TUTELAGE inline devices as our "shooter"

• (U//FOUO) Push decision logic to the edge

• (U//FOUO) Identify more mission opportunities

• (U//FOUO) Continue developing and deploying additional QUANTUM capabilities
(U) There is

QUANTUMINSERT (2005; Operational; Highly Successful: in 2010, 300 TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by any other means)
• Man-on-the-Side technique
• Briefly hi-jacks connections to a terrorist website
• Re-directs the target to a TAO server (FOXACID) for implantation

QUANTUMBOT (Aug 2007; Operational; Highly Successful: over 140,000 bots co-opted)
• Takes control of idle IRC bots
• Finds computers belonging to botnets, and hijacks the command and control channel

QUANTUMBISCUIT (Dec 2007; Operational; Limited success at NSAW due to high latency on passive access; GCHQ uses technique for 80% of CNE accesses)
• Enhances QUANTUMINSERT's man-on-the-side technique of exploitation
• Motivated by the need to QI targets that are behind large proxies, lack predictable source addresses, and have insufficient unique web activity.

QUANTUMDNS (Dec 2008; Successful: high priority CCI target exploited)
• DNS injection/redirection based off of A Record queries.
• Targets single hosts or caching name servers.

QUANTUMHAND (Oct 2010; Successful)
• Exploits the computer of a target who uses Facebook

QUANTUMPHANTOM (Oct 2010; Live Tested; N/A)
• Hijacks any IP on QUANTUMable passive coverage to use as covert infrastructure.

CNA

QUANTUMSKY
• Denies access to a webpage through RST packet spoofing.

QUANTUMCOPPER (Dec 2008; Live; N/A)
• File download/upload disruption and corruption.
(U) QUESTIONS?

For more information, please contact:

TUTELAGE -
QUANTUM -
TURBINE -
BOXINGRUMBLE -